Security weaknesses in the Financial Information Exchange (FIX) protocol have left many of the applications that power financial services companies vulnerable to attack, according to Matasano Security.
FIX was first introduced in 1992 to handle equity trading communications between Fidelity Investments and Salomon Brothers, and is now virtually the industry's standard for front-office communications. It is designed to handle real-time information exchange related to financial transactions, and is used by both institutions on the buy-side and brokers and dealers on the sell-side.
The protocol may handle securities trading, but wasn't necessarily built for security, according to Matasano. Researchers said applications supporting the protocol can be affected by remote denial-of-service, session hijacking and man-in-the-middle attacks, as well as electronic eavesdropping.
Matasano's Dave G and Jeremy Rauch plan to detail the vulnerabilities discovered by the firm at the Black Hat USA security conference in Las Vegas on 2 August.
While the company is not releasing details at the moment, Matasano CEO David Goldsmith gave a suggestion of the types of weaknesses present in a report from security website Dark Reading on Friday. Goldsmith said the problems are partly related to the fact that FIX has no built-in session-layer encryption, that many FIX-enabled financial programs don't use session passwords and that the applications are mostly written in C and C++ code that isn't necessarily well audited.
Applications supporting FIX were often designed for internal use, and thus weren't considered to need much security, the company said. Because of its narrow focus, the protocol hasn't been well served by security tools, and isn't generally supported by intrusion detection systems or vulnerability scanners, Goldsmith said.
FIX executives were unable to respond to Matasano's claims at the time of writing.
Goldsmith added that companies can help protect themselves with firewalls and third-party session encryption.
FIX isn't the only financial industry protocol riddled with holes, Matasano said. Despite the fact that such financial systems handle trillions of dollars' worth of transactions, the protocols they are based on are not designed with security in mind.
"Unlike the protocols that comprise the Internet as a whole, these haven't been scrutinised to death for security flaws," Matasano's Rauch said in a statement. "They're written with performance in mind and security is often just an afterthought, if present at all. And there are dozens of them."